10th Apr 2003 [SBWID-6131]
COMMAND
Microsoft Proxy Server and Internet Security and Acceleration Server
DoS
SYSTEMS AFFECTED
Microsoft Proxy Server 2.0 and Internet Security and Acceleration
Server 2000
PROBLEM
In iDEFENSE Security Advisory 04.09.03
[http://www.idefense.com/advisory/]:
Microsoft Corp.'s Internet Security and Acceleration Server (ISA)
Server integrates an extensible, multi-layer enterprise firewall and a
scalable high-performance web cache. It builds on Microsoft Windows
2000 security and directory for policy-based security, acceleration and
management of internetworking. More information is available at
http://www.microsoft.com/isaserver/ . MS Proxy 2.0 is the predecessor
to ISA Server, more information is available at
http://www.microsoft.com/isaserver/evaluation/previousversions/default.asp.
DESCRIPTION
===========
A vulnerability exists in ISA Server and MS Proxy 2.0 that allows
attackers to cause a denial-of-service condition by spoofing a
specially crafted packet to the target system. Another impact of this
vulnerability is the capability of a remote attacker to generate an
infinite packet storm between two unpatched systems implementing ISA
Server or MS Proxy 2.0 over the Internet.
Both ISA Server and MS Proxy 2.0, by default, install a WinSock Proxy
(WSP) service wspsrv.exe, designed for testing and diagnostic purposes.
The WSP service creates a User Datagram Protocol socket bound to port
1745. A specially crafted packet can cause WSP to generate a continuous
flood of requests and reply requirements.
ANALYSIS
========
In the case of the attack scenario for an internal LAN attacker causing
a denial of service, this malformed packet must meet the following
criteria:
* The source and destination IP are the same as the ISA Server.
* The source and destination port is 1745.
* The data field is specially crafted and resembles the request format.
An attacker with access to the LAN can anonymously generate a specially
crafted UDP packet that will cause the target ISA Server to fall into a
continuous loop of processing request and reply packets. This will
cause the ISA Server to consume 100 percent of the underlying system's
CPU usage. It will continue to do so until the system reboots or the
WinSock Proxy (WSP) service restarts.
In the case of the attack scenario of a remote attacker causing a
packet storm between two systems running ISA Server or MS Proxy 2.0,
the malformed packet must meet the following criteria:
* The source IP is one of the targets
* The destination IP is the other target
* The source and destination port is 1745.
* The data field is specially crafted and resembles the request format.
DETECTION
=========
iDEFENSE has verified that Microsoft ISA Server 2000 and MS Proxy 2.0
are both vulnerable to the same malformed packet characteristics
described above.
Wspsrv.exe is enabled by default in Proxy Server 2.0. The Microsoft
Firewall server is enabled by default in ISA Server firewall mode and
ISA Server integrated mode installations. It is disabled in ISA Server
cache mode installations.
SOLUTION
WORKAROUND
==========
To prevent the second attack scenario, apply ingress filtering on the
Internet router on UDP port 1745 to prevent a malformed packet from
reaching the ISA Server and causing a packet storm.
RECOVERY
========
Restart either the WinSock Proxy Service or the affected system to
resume normal operation.
VENDOR FIX/RESPONSE
===================
Microsoft has provided fixes for Proxy Server 2.0 and ISA Server at
http://www.microsoft.com/technet/security/bulletin/MS03-012.asp
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
